|
By Brian Clark
On May 22 and May 23, 2026, an attacker republished hundreds of malicious versions under historical release tags for four community-maintained Laravel localization libraries that are published on Packagist under the laravel-lang namespace.
|
By Ranko Cupovic
Today, we're announcing two new integrations with Anthropic that cover both sides of AI-assisted development. Evo by Snyk now integrates with Anthropic's Claude Enterprise, giving security and compliance teams a complete inventory of their Claude environment models, approved MCP servers, per model risk signals, and tool-level permissions in the platform they already use to govern the rest of the stack.
|
By Tom Nielsen
Snyk started as a classic product-led growth company. For our first two years, we didn't need a sales team — the product sold itself to developers. That's a rare thing, and we're proud of it. It meant we had genuine product-market fit before we had a go-to-market motion. But markets evolve, and so did we. Today, AI coding agents are generating code at a velocity that significantly outpaces the ability of security teams to review it.
|
By Liran Tal
The ink was barely dry on our coverage of the AntV Shai Hulud supply chain attack when a new compromise surfaced in the Python ecosystem. The target this time is durabletask, an open source Python package associated with Microsoft, used for building durable, fault-tolerant workflow orchestration on top of the Durable Task Framework. The latest safe version of durabletask is 1.4.0, and three known versions have been yanked from the PyPI registry.
|
By Liran Tal
A supply chain attack affecting the @antv data visualization ecosystem and related npm packages is actively spreading through the npm registry. The attack, attributed to a threat group called TeamPCP and branded as another wave of the Mini Shai-Hulud campaign, published more than 300 malicious package versions across 323 packages in a 22-minute automated burst on May 19, 2026. The packages collectively represent approximately 16 million weekly downloads.
|
By Brian Vermeer
On May 14, 2026, multiple malicious versions of the popular npm package node-ipc were published to the npm registry. Current public reporting identifies node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1 as compromised versions containing an obfuscated credential-stealing payload. The malicious code was added to the CommonJS bundle, node-ipc.cjs, and is triggered when the package is loaded through require("node-ipc").
|
By Stephen Thoemmes
On May 11, 2026, between 19:20 and 19:26 UTC, 84 malicious npm package artifacts were published across 42 packages in the @tanstack namespace. The packages were not published by an attacker who stole credentials; they were published by TanStack's legitimate release pipeline, using its trusted OIDC identity, after attacker-controlled code hijacked the runner mid-workflow. The malicious versions spread to Mistral AI, UiPath, and dozens of other maintainers within hours.
|
By Snyk
BOSTON, May 7, 2026 — Snyk, the AI security company, today announced it is leveraging Anthropic's Claude models to advance software security in an era of AI-powered development. Starting today, Snyk has integrated Claude into the Snyk AI Security Platform — powering automated vulnerability discovery, prioritization, and developer-ready fixes across code, dependencies, containers, and AI-generated artifacts. The threat driving that integration is real and accelerating.
|
By Stephen Thoemmes
On April 30, 2026, two malicious releases of the popular lightning PyPI package were published, affecting the deep learning framework formerly distributed as pytorch-lightning. Versions 2.6.2 and 2.6.3 ship a hidden _runtime directory that downloads the Bun JavaScript runtime from GitHub at import time and uses it to execute an ~11 MB obfuscated credential stealer. The last clean release is 2.6.1, published January 30, 2026.
|
By Stephen Thoemmes
On April 29, 2026, attackers published malicious versions of four npm packages in the SAP development ecosystem: mbt, @cap-js/db-service, @cap-js/sqlite, and @cap-js/postgres. Each compromised release ships a preinstall hook that downloads the Bun JavaScript runtime from GitHub Releases and uses it to execute an ~11.6 MB obfuscated credential stealer.
|
By Snyk
235,000 installs per week. That’s how quickly developers are downloading AI agent skills — packages that give AI coding agents new capabilities like shell access, file system operations, cloud access, and deployment permissions. But unlike traditional npm packages, agent skills introduce a completely new security problem: natural language instructions that AI agents can interpret and execute autonomously.
|
By Snyk
On May 11, 2026, the TanStack namespace was hit by a "Mini Shai-Hulud" supply chain attack. Unlike typical attacks, this did not involve stolen credentials; instead, the threat group TeamPCP hijacked the legitimate GitHub Actions release pipeline. This video covers the technical details of the OIDC token extraction, the "Dead Man's Switch" that triggers a rm -rf / upon credential revocation, and the mandatory remediation order you must follow to save your data. We also discuss how to harden your workflow using release-age cooldowns and OIDC pinning.
|
By Snyk
Are you confused by the terminology surrounding AI coding tools? You aren't alone. In this video, we break down the four essential components that transform a basic LLM into a powerful coding agent: Rules, Skills, Hooks, and the Model Context Protocol (MCP).
|
By Snyk
GPT-5.5 vs Claude Opus 4.7 - two flagship AI models dropped one week apart, and both claim to be the best at agentic coding. We put that to the test by giving each model the exact same prompt: build a production-ready, secure note-taking application from scratch. But we didn't stop at reviewing the code. We actually tried to break it by running real security tests against each app to see whether AI-generated code can be trusted with user data. The results were not what we expected.
|
By Snyk
Cursor just dropped Composer 2.0, claiming it rivals (and even beats) the industry’s leading frontier models like GPT-5.4 and Claude Opus 4.6. But do the benchmarks match reality?
|
By Snyk
In this video, we explore the growing security risk of prompt injection in large language model (LLM) applications. As AI becomes embedded in more products, new vulnerabilities emerge, especially through natural language manipulation. We break down how LLMs work, the importance of system prompts, and demonstrate five real-world prompt injection techniques used to extract sensitive information or bypass safeguards. You’ll see live examples using different models and learn why newer models are more resilient, but still not immune.
|
By Snyk
We pit GitHub Spark (in public preview) against Replit's AI agent. The challenge? Build a fully functional community forum for DIY tips from a single prompt. We compare design aesthetics, mobile responsiveness, login security, and deployment speed to see which tool creates a truly production-ready application. Which one do you think deserved the win? Let me know in the comments!
|
By Snyk
In the second match of our Vibe Coding Challenge series, we put two powerhouse AI platforms to the ultimate test: Vercel’s v0 and Base 44. We gave both platforms the exact same prompt: build a DIY Home Repair community forum.
|
By Snyk
Which AI tool is better for building a real app without writing code, Bolt or Lovable? In this video, I put both AI app builders head-to-head using the exact same prompt to create a DIY home repair forum. From database setup to authentication, UI design, publishing, and security checks, we compare how each platform performs in real time. The goal isn’t just to generate something that looks like an app, it’s to see whether these tools can actually create something usable, functional, and potentially production-ready. We evaluate.
|
By Snyk
Join Vandana and Rob in this insightful webinar exploring the rapidly evolving landscape of AI security. As we shift from simple query-response models to complex autonomous agents that can plan, execute code, and access sensitive APIs, the traditional security "locks" are no longer sufficient. This session dives deep into the OWASP AI Exchange, a community-driven initiative providing practical guidance and technical controls for securing AI systems.
|
By Snyk
This book will help both development and application security architects and practitioners address the risk of vulnerable open source libraries and discuss why such vulnerable dependencies are the most likely to be exploited by attackers.
|
By Snyk
Forrester conducted a customer study to get insights into why organizations choose Snyk to help them tackle and implement developer-first security. Read the report to dive into the benefits, cost and value ROI for Snyk.
|
By Snyk
This book reviews how the serverless paradigm affects the security of an application, and dives into the benefits it brings.
|
By Snyk
Snyk's annual State of Open Source Security Report 2020 is here. Download it now to learn how Open Source security is evolving.
|
By Snyk
81% of security and development professionals believe developers are responsible for open source security - but many organizations are still unsure how to start building a culture and practice of DevSecOps. Puppet & Snyk's study is digging deeper into the trends of DevSecOps adoption.
|
By Snyk
"Shift left" has become the holy grail for security teams today but organizations are still struggling to successfully implement some of the key processes that shifting security left entails. A new study sponsored by Snyk and conducted by Enterprise Strategy Group (ESG) has found that while developers are indeed being given more responsibility for testing their applications for security issues, they simply don't have the knowledge or right set of tools to do so.
|
By Snyk
The 2020 Gartner Market Guide for SCA is here! Recent Gartner survey finds that over 90% of organizations leverage OSS in application development - and as a result, security of open source packages was the highest ranked concern for respondents. These concerns have led to a growing market, addressed by various vendors for SCA tools that mitigate the risk of OSS. New trends emerge with devops on the rise - as the market shifts towards developer-friendly SCA tools.
- May 2026 (12)
- April 2026 (13)
- March 2026 (13)
- February 2026 (25)
- January 2026 (14)
- December 2025 (15)
- November 2025 (16)
- October 2025 (20)
- September 2025 (19)
- August 2025 (35)
- July 2025 (20)
- June 2025 (30)
- May 2025 (16)
- April 2025 (24)
- March 2025 (34)
- February 2025 (28)
- January 2025 (25)
- December 2024 (32)
- November 2024 (19)
- October 2024 (37)
- September 2024 (32)
- August 2024 (34)
- July 2024 (32)
- June 2024 (34)
- May 2024 (35)
- April 2024 (29)
- March 2024 (11)
- February 2024 (13)
- January 2024 (21)
- December 2023 (20)
- November 2023 (31)
- October 2023 (29)
- September 2023 (13)
- August 2023 (25)
- July 2023 (17)
- June 2023 (31)
- May 2023 (23)
- April 2023 (20)
- March 2023 (24)
- February 2023 (21)
- January 2023 (18)
- December 2022 (22)
- November 2022 (33)
- October 2022 (40)
- September 2022 (36)
- August 2022 (36)
- July 2022 (18)
- June 2022 (22)
- May 2022 (25)
- April 2022 (31)
- March 2022 (43)
- February 2022 (30)
- January 2022 (28)
- December 2021 (44)
- November 2021 (27)
- October 2021 (26)
- September 2021 (27)
- August 2021 (20)
- July 2021 (19)
- June 2021 (23)
- May 2021 (29)
- April 2021 (22)
- March 2021 (33)
- February 2021 (12)
- January 2021 (13)
- December 2020 (2)
Snyk is an open source security platform designed to help software-driven businesses enhance developer security. Snyk's dependency scanner makes it the only solution that seamlessly and proactively finds, prioritizes and fixes vulnerabilities and license violations in open source dependencies and container images.
Security Across the Cloud Native Application Stack:
- Open Source Security: Automatically find, prioritize and fix vulnerabilities in your open source dependencies throughout your development process.
- Code Security: Find and fix vulnerabilities in your application code in real-time during the development process.
- Container Security Find and automatically fix vulnerabilities in your containers at every point in the container lifecycle.
- Infrastructure as Code Security Find and fix Kubernetes and Terraform infrastructure as code issues while in development.
Develop Fast. Stay Secure.